Skip to content

Enable recovery using a subset of recovery keys #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Nov 28, 2025
Merged

Enable recovery using a subset of recovery keys #879

merged 6 commits into from
Nov 28, 2025

Conversation

@daniel-weisse
Copy link
Member

@daniel-weisse daniel-weisse commented Nov 20, 2025
edited
Loading

Proposed changes

  • Add a new Manifest config option, RecoveryThreshold, to control the number of recovery secrets required to recover the Coordinator's state
    • If set to 0 or to the number of defined recovery public keys, no behavioral changes are made
    • If set to any other value (smaller than the number of recovery public keys), Shamir's secret sharing is used to generate the encryption key. Recovery can then be performed by providing just RecoveryThreshold number of recovery secrets to the Coordinator

Additional info

@netlify
Copy link

netlify bot commented Nov 20, 2025
edited
Loading

Deploy Preview for marblerun-docs canceled.

Name Link
🔨 Latest commit aa436d8
🔍 Latest deploy log https://app.netlify.com/projects/marblerun-docs/deploys/692993f461742f000848a84b

@daniel-weisse daniel-weisse added the feature This change introduces new functionality label Nov 20, 2025
@daniel-weisse daniel-weisse force-pushed the dw/recovery-shamir-secrets branch from 94db8d8 to b31012d Compare November 20, 2025 15:03
@daniel-weisse daniel-weisse force-pushed the dw/recovery-shamir-secrets branch from b31012d to 1df337c Compare November 27, 2025 12:16
@daniel-weisse daniel-weisse marked this pull request as ready for review November 27, 2025 13:02
@daniel-weisse daniel-weisse force-pushed the dw/recovery-shamir-secrets branch from 1df337c to c418763 Compare November 27, 2025 15:01
thomasten
thomasten reviewed Nov 28, 2025
View reviewed changes
coordinator/clientapi/clientapi.go
}
if currentManifest.Config.RecoveryThreshold != updateManifest.Config.RecoveryThreshold {
a.log.Error("UpdateManifest: Invalid manifest: Recovery threshold cannot be updated")
return nil, 0, errors.New("recovery threshold cannot be updated")
Copy link
Member

@thomasten thomasten Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just to be sure: we will be able to allow updating this together with "Allow updating recovery public keys on manifest update", right?

Copy link
Member Author

@daniel-weisse daniel-weisse Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.
Its currently blocked since changing the threshold would require re-generating the recovery secrets, which is effectively the same as changing the keys

coordinator/recovery/multi.go
}

// If this was the first secret uploaded, just return
if r.correctSecrets < 2 {
Copy link
Member

@thomasten thomasten Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we compare to the threshold instead?
And we should catch a threshold of 1 in Manifest.Check.

Copy link
Member Author

@daniel-weisse daniel-weisse Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The threshold is unknown for instances in recovery mode.
We could save this information as non-encrypted data, but I'm unsure how that would impact the security of the state

Copy link
Member

@thomasten thomasten Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes of course. It's probably not worth then.

coordinator/recovery/multi.go
// validateSecretLength checks whether a provided secret has a valid length (either 16 or 32 bytes),
func (r *MultiPartyRecovery) shamirRecover(secret []byte) (int, []byte, error) {
uploadedSecretHash := Hash(secret)
secretsRemaining := len(r.SecretHashMap) - r.correctSecrets
Copy link
Member

@thomasten thomasten Nov 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can this be based on the threshold instead of the number of all keys?

@daniel-weisse daniel-weisse force-pushed the dw/recovery-shamir-secrets branch from 35a7da4 to aa436d8 Compare November 28, 2025 12:22
@daniel-weisse daniel-weisse merged commit 67add91 into master Nov 28, 2025
11 checks passed
@daniel-weisse daniel-weisse deleted the dw/recovery-shamir-secrets branch November 28, 2025 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thomasten thomasten thomasten approved these changes

Assignees

No one assigned

Labels

feature This change introduces new functionality

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@daniel-weisse @thomasten